Platform: wordpress
Component: advanced-classifieds-and-directory-pro
Fixed in: 3.1.4
CVE-2024-37501 describes a Path Traversal vulnerability discovered in PluginsWare Advanced Classifieds & Directory Pro. This flaw allows attackers to potentially access sensitive files and directories on the web server by manipulating file paths. The vulnerability impacts versions of the plugin up to and including 3.1.3, and a patch is available in version 3.1.4.
The Path Traversal vulnerability allows an attacker to bypass intended access restrictions and retrieve files from directories they should not be able to reach. Successful exploitation could expose sensitive configuration files, database credentials, source code, or other critical data; depending on the server's configuration and which files are readable by the web server process, this could lead to complete compromise of the web server. No prior incident involving this specific plugin is known, but path traversal flaws are frequently exploited to gain unauthorized access to system resources, in the same way that file inclusion flaws in Apache Struts and other web applications have been abused.
CVE-2024-37501 was publicly disclosed on July 9, 2024. There is currently no indication of active exploitation campaigns targeting this vulnerability. The EPSS score is pending evaluation. No public proof-of-concept exploits have been identified at the time of this writing, but the ease of exploitation inherent in path traversal vulnerabilities suggests that a PoC could emerge quickly.
Exploit Status
EPSS: 1.46% (81st percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2024-37501 is to upgrade Advanced Classifieds & Directory Pro to version 3.1.4 or later immediately. If upgrading is not immediately feasible because of compatibility or testing requirements, apply temporary workarounds in the meantime: restrict the file permissions of the web server process so it can read only what it needs, add stricter input validation that canonicalizes and sanitizes user-supplied file paths, and use a Web Application Firewall (WAF) to block requests containing path traversal patterns. After upgrading, verify the fix by attempting to access files outside the intended directory via a web request; access should be denied.
Update the Advanced Classifieds & Directory Pro plugin to the latest available version. The local file inclusion (LFI) vulnerability is fixed in versions after 3.1.3. Consult the plugin's changelog for more details on the fix.
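Two of the workarounds above, a canonical-path containment check for user-supplied file names and detection of traversal attempts in web-server access logs, as an added Python example that is not code from the plugin or from PluginsWare (the plugin itself is PHP). The base directory, the download endpoint and its `file` parameter are hypothetical, and the log lines are constructed.

```python
import os
import re
from urllib.parse import unquote

# Hypothetical directory the plugin is allowed to serve files from (not a path from the advisory).
BASE_DIR = "/var/www/html/wp-content/uploads/classifieds"


def safe_resolve(base_dir, requested):
    """Return the canonical path of `requested` inside `base_dir`, or None if it escapes.

    Decoding twice catches double-encoded input (%252e%252e%252f). The decision is made on
    the canonical path (realpath also follows symlinks), not on a blacklist of patterns.
    """
    decoded = unquote(unquote(requested))
    if "\x00" in decoded:  # NUL bytes can truncate the path in underlying C APIs
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded.lstrip("/\\")))
    if candidate != base and not candidate.startswith(base + os.sep):
        return None
    return candidate


# Combined-log-format line: client IP first, request target inside the quoted request line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')


def is_traversal_attempt(request_target):
    """True if a path or query component still contains a '..' segment after double decoding."""
    decoded = unquote(unquote(request_target))
    return re.search(r"(^|[/\\?=&])\.\.([/\\&]|$)", decoded) is not None


def flag_traversal_requests(log_text):
    """Return (client_ip, request_target, status) for every log line that looks like traversal.
    A 200 on such a request is the signal to investigate; after the upgrade they should be denied."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal_attempt(m.group(2)):
            hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits


# Constructed sample access-log lines; the endpoint and its `file` parameter are hypothetical.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Jul/2024:10:00:01 +0000] "GET /wp-content/plugins/advanced-classifieds-and-directory-pro/download.php?file=listing.csv HTTP/1.1" 200 512
203.0.113.9 - - [09/Jul/2024:10:00:02 +0000] "GET /wp-content/plugins/advanced-classifieds-and-directory-pro/download.php?file=../../../wp-config.php HTTP/1.1" 200 3120
203.0.113.9 - - [09/Jul/2024:10:00:03 +0000] "GET /wp-content/plugins/advanced-classifieds-and-directory-pro/download.php?file=%252e%252e%252fwp-config.php HTTP/1.1" 403 0
"""
```

Running `flag_traversal_requests(SAMPLE_LOG)` over the constructed lines flags the two requests from 203.0.113.9 and leaves the legitimate download untouched; the same `safe_resolve` check is what a patched endpoint should apply before opening the file.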
CVE-2024-37501 is a Path Traversal vulnerability affecting Advanced Classifieds & Directory Pro versions up to 3.1.3, allowing attackers to access arbitrary files on the server.
You are affected if you are using Advanced Classifieds & Directory Pro version 3.1.3 or earlier. Upgrade to 3.1.4 to mitigate the risk.
Upgrade Advanced Classifieds & Directory Pro to version 3.1.4 or later. If immediate upgrade is not possible, implement temporary workarounds like WAF rules and file permission restrictions.
There is currently no indication of active exploitation campaigns, but the vulnerability's nature suggests potential for rapid exploitation.
Refer to the PluginsWare website and WordPress plugin repository for the latest advisory and update information regarding CVE-2024-37501.